Twitter tells users: Pay up if you want to keep using insecure 2FA

by Paul Ducklin

Twitter has announced an intriguing change to its 2FA (two-factor authentication) system.


The change will take effect in about a month’s time, and can be summarised very simply in the following short piece of doggerel:


    Using texts is insecure 
        for doing 2FA,
    So if you want to keep it up
       you're going to have to pay.

We said “about a month’s time” above because Twitter’s announcement is somewhat ambiguous with its dates-and-days calculations.

The product announcement bulletin, dated 2023-02-15, says that users with text-message (SMS) based 2FA “have 30 days to disable this method and enroll in another”.

If you include the day of the announcement in that 30-day period, this implies that SMS-based 2FA will be discontinued on Thursday 2023-03-16.

If you assume that the 30-day window starts at the beginning of the next full day, you’d expect SMS 2FA to stop on Friday 2023-03-17.

However, the bulletin says that “after 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled.”

If that’s strictly correct, then SMS-based 2FA ends at the start of Tuesday 21 March 2023 (in an undisclosed timezone), though our advice is to take the shortest possible interpretation so you don’t get caught out.

SMS considered insecure

Simply put, Twitter has decided, as Reddit did a few years ago, that one-time security codes sent via SMS are no longer safe, because “unfortunately we have seen phone-number based 2FA be used and abused by bad actors.”

The primary objection to SMS-based 2FA codes is that determined cybercriminals have learned how to trick, cajole or simply bribe employees in mobile phone companies to give them replacement SIM cards programmed with someone else’s phone number.

Legitimately replacing a lost, broken or stolen SIM card is obviously a desirable feature of the mobile phone network, otherwise you’d have to get a new phone number every time you changed SIM.

But the apparent ease with which some crooks have learned the social engineering skills to “take over” other people’s numbers, usually with the very specific aim of getting at their 2FA login codes, has led to bad publicity for text messages as a source of 2FA secrets.

This sort of criminality is known in the jargon as SIM-swapping, but it’s not strictly any sort of swap, given that a phone number can only be programmed into one SIM card at a time.

So, when the mobile phone company “swaps” a SIM, it’s actually an outright replacement, because the old SIM goes dead and won’t work any more.

Of course, if you’re replacing your own SIM because your phone got stolen, that’s a great security feature, because it restores your number to you, and ensures that the thief can’t make calls on your dime, or listen in to your messages and calls.

But if the tables are turned, and the crooks are taking over your SIM card illegally, this “feature” turns into a double liability, because the criminals start receiving your messages, including your login codes, and you can’t use your own phone to report the problem!

Is this really about security?

Is this change really about security, or is it simply Twitter aiming to simplify its IT operations and save money by cutting down on the number of text messages it needs to send?

We suspect that if the company really were serious about retiring SMS-based login authentication, it would impel all its users to switch to what it considers more secure forms of 2FA.

Ironically, however, users who pay for the Twitter Blue service, a group that seems to include high-profile or popular users whose accounts we suspect are much more attractive targets for cybercriminals…

…will be allowed to keep using the very 2FA process that’s not considered secure enough for everyone else.

SIM-swapping attacks are difficult for criminals to pull off in bulk, because a SIM swap often involves sending a “mule” (a cybergang member or “affiliate” who is willing or desperate enough to risk showing up in person to conduct a cybercrime) into a mobile phone shop, perhaps with fake ID, to try to get hold of a specific number.

In other words, SIM-swapping attacks often seem to be premeditated, planned and targeted, based on an account for which the criminals already know the username and password, and where they think that the value of the account they’re going to take over is worth the time, effort and risk of getting caught in the act.

So, if you do decide to go for Twitter Blue, we suggest that you don’t carry on using SMS-based 2FA, even though you’ll be allowed to, because you’ll just be joining a smaller pool of tastier targets for SIM-swapping cybergangs to attack.

Another important aspect of Twitter’s announcement is that although the company is no longer willing to send you 2FA codes via SMS for free, and cites security concerns as a reason, it won’t be deleting your phone number once it stops texting you.

Even though Twitter will no longer need your number, and even though you may have originally provided it on the understanding that it would be used specifically for the purpose of improving login security, you’ll need to remember to go in and delete it yourself.

What to do?


  • If you already are, or plan to become, a Twitter Blue member, consider switching away from SMS-based 2FA anyway. As mentioned above, SIM-swapping attacks tend to be targeted, because they’re tricky to do in bulk. So, if SMS-based login codes aren’t safe enough for the rest of Twitter, they’ll be even less safe for you once you’re part of a smaller, more select group of users.

  • If you are a non-Blue Twitter user with SMS 2FA turned on, consider switching to app-based 2FA instead. Please don’t simply let your 2FA lapse and go back to plain old password authentication if you’re one of the security-conscious minority who has already decided to accept the modest inconvenience of 2FA into your digital life. Stay out in front as a cybersecurity trend-setter!
    Stay
    out
    in
    front
    as
    a
    cybersecurity
    trend-setter!

  • If you gave Twitter your phone number specifically for 2FA messages, don’t forget to go and remove it. Twitter won’t be deleting any stored phone numbers automatically.

  • If you’re already using app-based authentication, remember that your 2FA codes are no more secure than SMS messages against phishing. App-based 2FA codes are generally protected by your phone’s lock code (because the code sequence is based on a “seed” number stored securely on your phone), and can’t be calculated on someone else’s phone, even if they put your SIM into their device. But if you accidentally reveal your latest login code by typing it into a fake website along with your password, you’ve given the crooks all they need anyway, whether that code came from an app or via a text message.

  • If your phone loses mobile service unexpectedly, investigate promptly in case you’ve been SIM-swapped. Even if you aren’t using your phone for 2FA codes, a crook who’s got control over your number can nevertheless send and receive messages in your name, and can make and answer calls while pretending to be you. Be prepared to show up at a mobile phone store in person, and take your ID and account receipts with you if you can.

  • If you haven’t set a PIN code on your phone SIM, consider doing so now. A thief who steals your phone probably won’t be able to unlock it, assuming you’ve set a decent lock code. Don’t make it easy for them simply to eject your SIM and insert it into another device to take over your calls and messages. You’ll only need to enter the PIN when you reboot your phone or power it up after turning it off, so the effort involved is minimal.

By the way, if you’re comfortable with SMS-based 2FA, and are worried that app-based 2FA is sufficiently “different” that it will be hard to master, remember that app-based 2FA codes generally require a phone too, so your login workflow doesn’t change much at all.

Instead of unlocking your phone, waiting for a code to arrive in a text message, and then typing that code into your browser…

…you unlock your phone, open your authenticator app, read off the code from there, and type that into your browser instead. (The numbers typically change every 30 seconds so they can’t be re-used.)



PS. The free Sophos Intercept X for Mobile security app (available for iOS and Android) includes an authenticator component that works with almost all online services that support app-based 2FA. (The system generally used is called TOTP, short for time-based one-time password.)


[Image: Sophos Authenticator with one account added. (Add as many as you want.) The countdown timer shows you how long the current code is still valid for.]


